
OpenSSH security update? was Re: Issues with SSH pubkey authentication at remote server



Hi,

[UPDATE]
Stephan Beck:
> Hi Mark,
> 
> Mark Fletcher:
>> On Mon, Sep 26, 2016 at 02:52:00PM +0000, Stephan Beck wrote:
>>> Hi Lisi,
>>
>>> If you look at the second line of the terminal output I reproduced, you
>>> find that the openssl component in use within the package openssh Debian
>>> Jessie is one step behind. "Standalone" OpenSSL package is now at
>>> version 1.0.1t-1+deb8u5 since September 23.
>>>
>>>> me@mymachine:~/.ssh$ ssh -vv me@theremoteserver
>>>> OpenSSH_6.7p1 Debian-5+deb8u3, OpenSSL 1.0.1t  3 May 2016
>>>
>> Yeah there was a Debian security advisory last week with a security 
>> patch for OpenSSL. I thought the fix was already in place, certainly I 
>> got an update for OpenSSH when I updated on Sunday.
> 
> I didn't receive any update of the OpenSSH package in the past days.
> Such update would usually be communicated issuing a DSA urging people to
> upgrade, wouldn't it? And I'm subscribed to the DSA.
> Just checked and as latest I upgraded the libarchive package.

not even activating deb-src (security) and deb-src (ftp.xx.debian.org)
Sources
apt-get update
apt-get upgrade

results in any OpenSSH package being updated.

In packages.debian.org I see a sources patch that can be manually
downloaded and applied. But nothing you "get", as you say.

So, am I right? It is not included in the .deb sources that are
accessible (provided there is the entry in apt-sources.list) using the
above apt commands.

Cheers

Stephan
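
An added example, not part of the original thread: the OpenSSL version in the `ssh -v` banner is the upstream version string of the library ssh loads, while a Debian security fix only changes the revision of the library package, so the two values quoted above can be compared as follows. The function names are hypothetical, the sample inputs are the strings quoted in this message, and `live_check` assumes ssh is dynamically linked against a packaged libcrypto.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Constructed inputs, copied from the values quoted in the thread.
BANNER='OpenSSH_6.7p1 Debian-5+deb8u3, OpenSSL 1.0.1t  3 May 2016'
PKG_VERSION='1.0.1t-1+deb8u5'

# Upstream OpenSSL version as printed in the "ssh -v" banner.
banner_openssl() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSL \([^ ]*\).*/\1/p'
}

# Upstream part of a Debian package version: drop an optional "epoch:"
# prefix and the "-revision" suffix after the last hyphen.
upstream_of() {
    v=$1
    case $v in *:*) v=${v#*:} ;; esac
    case $v in *-*) v=${v%-*} ;; esac
    printf '%s\n' "$v"
}

# Debian revision, the part a stable security upload such as +deb8u5 changes.
revision_of() {
    case $1 in *-*) printf '%s\n' "${1##*-}" ;; *) printf '\n' ;; esac
}

# "same-upstream" means the banner cannot tell package revisions apart.
compare() {
    if [ "$(banner_openssl "$1")" = "$(upstream_of "$2")" ]; then
        echo same-upstream
    else
        echo different-upstream
    fi
}

# On a live Debian system (assumes ssh is dynamically linked to libcrypto):
# find the library ssh loads and print the package revision that owns it.
live_check() {
    lib=$(ldd "$(command -v ssh)" | awk '/libcrypto/ {print $3; exit}')
    pkg=$(dpkg -S "$lib" | cut -d: -f1)
    dpkg-query -W -f='${Package} ${Version}\n' "$pkg"
}

echo "banner: $(banner_openssl "$BANNER")  package: $PKG_VERSION" \
     "(revision $(revision_of "$PKG_VERSION")) -> $(compare "$BANNER" "$PKG_VERSION")"
if [ "${1:-}" = "--live" ]; then live_check; fi
```

Run with `--live` on a Debian host to print the installed revision of the package that owns the libcrypto ssh actually loads.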

